Getting in Control


8/3/2019 Getting in Control

Alcyone Consulting 2005 1 / 6

Getting In-Control - Combining CobiT and ITIL for IT Governance and Process Excellence

Executive Summary:
Nearly all of us who are running an IT shop feel the need to gain or increase control, predictability, and efficiency. That's true whether we've just come off achieving CMM level 3, or are still struggling with legacy IT management practices. Solving these problems from scratch can take daunting amounts of time and effort, and still leave you vulnerable to audit findings.

CobiT and ITIL together are a powerful force for IT operational efficiency and effectiveness. CobiT provides a framework for IT governance, aligning IT with business requirements. ITIL is a collection of best practices in Service Management, Security, Infrastructure Management, and Application Management. Together they can make the process improvement task much more achievable.

Using CobiT and ITIL in combination links proven IT best practices (ITIL) to CobiT's regulatory and business requirements. CobiT's objectives define the Key Performance Indicators for each major IT process area, assuring both a well-run IT organization and the ability to meet regulatory requirements.

This paper describes CobiT and ITIL, why Alcyone Consulting combined them, and how your organization can benefit from this work for better IT effectiveness.

What is the business problem?
Before we introduce CobiT and ITIL, and the value of combining them, let's review the business problem that makes this a compelling discussion. The following describes a typical public company's IT organization and its change drivers:

Your auditors are telling you that your team is not doing something right and you have to change it now!

The business is telling you that you don't understand their needs or are not responsive enough.

The CEO is telling you that you have to make your IT organization more cost effective.

On top of all this, you are being asked to make improvements while living within this year's operating budget. Leveraging either CobiT or ITIL will help you with the above objectives. The questions are: What are they? How do you know which to use, and when?

ITIL is a Registered Trade Mark and a Community Trade Mark of the UK Office of Government Commerce.

CobiT is a registered Trade Mark of the Information Systems Audit and Control Foundation and the IT Governance Institute.


    What ARE these things?

CobiT: Control Objectives for Information and related Technology

CobiT was developed in the early 1990s by the Information Systems Audit and Control Foundation (ISACF) with the goal of providing a set of best practices that are meaningful and useful to IT staff, auditors, and customers. A major research effort delving into all relevant existing standards and best practices was undertaken to develop the CobiT objectives.

The initial release of the Framework, Control Objectives and Audit Guidelines was in 1996. Over the next four years two additional books were published: the Implementation Toolset and the Management Guidelines. The Management Guidelines in particular contain the maturity models, performance indicators and critical success factors.

    A quote from the introduction:

"The resulting control objectives have been developed for application to organization-wide information systems. The term 'generally applicable and accepted' is explicitly used in the same sense as Generally Accepted Accounting Principles (GAAP)."

CobiT is organized into four domains: Planning and Organization, Acquisition and Implementation, Delivery and Support, and Monitoring.

Each of the high-level control objectives in the above diagram is divided into detailed control objectives. CobiT identifies a broad set of 318 detailed control objectives (e.g., Procurement Control) designed to provide reasonable assurance that certain business objectives will be achieved. What it does not do is describe a complete set of IT processes; more on this to come.


CobiT was largely ignored by the marketplace until the Sarbanes-Oxley Act of 2002 (SOX). Once this act took effect in the United States, CobiT was able to show that a direction for compliance was already in place. SOX requires that companies certify their internal financial processes, and that auditors issue opinions regarding the effectiveness of those processes. In addition, SOX requires that companies understand and document the internal controls around financial reporting. And that is exactly what implementing CobiT is able to deliver.

ITIL: IT Infrastructure Library
ITIL was developed in the late 1980s by the UK's Central Computer & Telecommunications Agency (CCTA; in April 2001 the CCTA was absorbed into the Office of Government Commerce, OGC). The CCTA started the project in recognition of the fact that government organizations were becoming increasingly dependent on Information Technology. Its objectives in developing ITIL were to promote IT business effectiveness and to reduce costs while maintaining or improving IT services.

The specific ITIL best practices were developed with the involvement of leading industry experts, consultants and practitioners. It is the only holistic, non-proprietary best-practice framework available in the technology marketplace. As a result, it has quickly become the global benchmark by which organizations measure the quality of IT service management.

The Infrastructure Library went through a major re-write in the 1990s. There are eight books in publication today, covering everything from implementing ITIL processes through application life-cycle management to the core ITIL IT operations processes. The following graphic represents the ITIL library in its current form:

    Source: Information Technology Infrastructure Library

Within the eight domains, each book's processes can be reviewed, utilized, and implemented independently of the others. That said, the overall provision of IT services is best optimized by considering each process as part of the whole.

The most popular (and first published) ITIL books are Service Support and Service Delivery. They describe the processes that are common to every IT service provider and must be addressed to enhance the provision of quality IT services for its customers. These sets form the basis of the certifications granted by the Netherlands Examination Institute for IT (EXIN) and the Information Systems Examinations Board (ISEB).

An informal survey of IT organizations in the Chicago-land area shows that many are implementing SOX compliance in a process vacuum. The additional paperwork (or electronic equivalent) generated for compliance does not add value to the IT work flow, but rather detracts from product deployment and incident resolution activities, and comes off as additional regulatory burden.

Many organizations have embraced the ITIL concept because it offers a systematic and professional approach to the management of IT service provision. There are many benefits to be reaped by adopting the guidance provided by ITIL, chief of which is reaching the goal of control and predictability much more quickly than by starting from scratch.

When should you use one or the other?
In general, CobiT is used for audit functions and ITIL is used for process improvement. We recommend that, instead of selecting between CobiT and ITIL, you combine both from the beginning in all process improvement activities. In the long run you will eventually get there anyway, so starting with an integrated approach is the most effective option. It will save you time and money and provide a process which meets stakeholder requirements earlier in the game.

As a public company, your auditors will expect use of CobiT for SOX compliance. As a growing IT organization, you will formalize your processes and procedures based either on ITIL or on another framework which borrows heavily from ITIL (for example the Microsoft Operations Framework).

As described earlier, both ITIL and CobiT are excellent tools for the IT organization to improve processes and align IT functions with business and regulatory requirements. In bringing them to the table as one initiative instead of two separate initiatives, you gain both a single work effort and an integrated IT process and compliance solution.

CobiT and ITIL complement each other. For example, the CobiT framework identifies a Software Release Policy as a control point, but leaves it to the organization to define the processes and procedures associated with Software Release. ITIL describes the best practices associated with Software Release Management; the interfaces to other activities such as Infrastructure Deployment, Change Management and Configuration Management; and how to implement Software Release Management within the IT Organization (ITO).

    What is the industry saying?

    Gartner Group:

"CobiT and ITIL are not mutually exclusive and can be combined to provide a powerful IT governance, control and best-practice framework in IT service management. Enterprises that want to put their ITIL program into the context of a wider control and governance framework should use CobiT."

    (June 2002 / TG-16-1849)


Meta:

"It is critical that organizations taking advantage of the COBIT framework have a set of defined IT processes/procedures and utilize COBIT as a control checklist against their defined IT processes/procedures."

    (Oct 2004 / Meta Practice #2263)

Alcyone Process Framework for IT Effectiveness:
At Alcyone Consulting, we have performed the upfront analysis and combined ITIL and CobiT to create an effective IT process framework that enables you to quickly and easily understand the impact of regulatory requirements on every aspect of your IT processes. Our framework also allows you to identify the impact a specific IT process has on your regulatory environment.

The Alcyone process framework is based on a review of the complete set of ITIL books (not just Service Management). After laying out the initial ITIL process families, we aligned all 318 detailed CobiT objectives to a specific process family. The detailed CobiT objectives which were as yet unassigned we grouped into process families which fit harmoniously within the existing framework. This completed the Alcyone Process Framework for IT Effectiveness.

As the Alcyone framework is based on existing standardized IT frameworks, you are not locked into a proprietary solution that depends upon one company to maintain. You are able to leverage the training and tools which exist for CobiT and ITIL in the marketplace today and in the future.

Leveraging the Framework in your organization:
We start our engagements by identifying all known IT processes, whether they have been documented or are yet to be documented within your organization. We then map those processes into the appropriate process family. After this exercise, you will have a solid assessment of the completeness of your IT processes, which prepares you for making the necessary improvements.

Next we work with company executives, the legal department and auditors to identify the regulatory drivers for your business, which are then aligned to their appropriate CobiT objectives. For SOX and HIPAA this is well understood, and auditors have already identified the specific CobiT objectives. Now we look at your organization's existing IT processes that are affected by your regulatory environment and answer these questions:


    Do you have a process?

    Is the process documented?

    Does the process address the Key CobiT Objectives?

    Will your auditor agree that your process is sufficient?

The answers to the above questions will give you a good idea of how well the IT processes protect your company and its stakeholders. The resulting information is typically eye-opening and can lead to projects geared to improving your IT Organization's effectiveness (not to mention the sleep of your company's officers).

About Alcyone Consulting:
Alcyone Consulting is an IT consultancy providing IT Strategy and Governance services. Our principals have worked together for over a decade providing high-quality IT solutions to a wide range of clients. Our practitioners are all former Big-5 consulting professionals with years of experience.

The Alcyone Process Framework for IT Effectiveness comes out of a rich history of process activities, starting in the late 1980s with the introduction of Service Level and Operational Level Agreements, and then maturing into IT support organizations and the subsequent reporting metrics. In the early 1990s Alcyone practitioners created some of the initial development methodologies for the then-new client/server systems. By the mid 1990s we were performing Capability Maturity Model assessments for our own development organizations.

Exposure to the ITIL concepts started in the late 1990s with growing an IT support organization from 14 Chicago-based individuals to a global team of 80 supporting over 1200 users in seven locations in five countries. This specific framework comes from working on client engagements which required HIPAA and SOX compliance in addition to IT process improvements.

At Alcyone Consulting we speak IT, CobiT, ITIL and Business. We leverage this to provide our clients with high-quality solutions that maximize their Information Technology investment.

    For more information contact Mary Kay Laurent:

    [email protected]